/bin/ping (from iputils-ping) uses the security capabilities to allow
users to use the program:
```
$ getcap /bin/ping
/bin/ping cap_net_raw=ep
```
Debian testing/unstable images (variant important) contain security and
system attributes:
```
$ mmdebstrap --variant=important bullseye root.tar
$ tar --xattrs --xattrs-include='*' -vv -tf root.tar | grep -B 1 '^ '
-rwxr-xr-x* 0/0 77432 2021-02-02 18:49 ./bin/ping
x: 20 security.capability
--
drwxr-sr-x* 0/102 0 2021-05-07 15:10 ./var/log/journal/
x: 44 system.posix_acl_access
x: 44 system.posix_acl_default
```
When generating a squashfs image with mmdebstrap 0.7.5-2, these security
capabilities are lost. Example for building a squashfs image in a
minimal Debian unstable schroot:
```
$ apt install -y mmdebstrap squashfs-tools-ng
$ mmdebstrap --variant=important buster root.squashfs
$ rdsquashfs -x /bin/ping root.squashfs
$
```
tar2sqfs from squashfs-tools-ng 1.0.4-1 supports encoding extended
attributes from the namespace `user`, `trusted`, and `security` (see
`include/sqfs/xattr.h`). GNU tar (version 1.34) supports these three
namespaces plus the namespace `system`.
Passing extended attributes from the `system` namespace to tar2sqfs will
produce an error:
```
ERROR: squashfs does not support xattr prefix of system.posix_acl_default
```
So pass the extended attributes to tar2sqfs, but exclude the `system`
namespace. Then ping will keep its security attributes:
```
$ rdsquashfs -x /bin/ping root.squashfs
security.capability=0x0100000200200000000000000000000000000000
```
Closes: #988100
Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
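The workaround the commit describes (keep the `user`, `trusted` and `security` namespaces that tar2sqfs accepts, drop `system.*` before the stream reaches it) can be done on the tarball itself, as the manual text in this change suggests. Below is an added example, not mmdebstrap's or squashfs-tools-ng's code: a Python filter that rewrites the pax headers of a tar stream. It assumes GNU tar's convention of storing each extended attribute as a pax record named `SCHILY.xattr.<name>`. The sample tarball is constructed in memory to mirror the listing above (the capability value is the 20 bytes rdsquashfs printed for ping; the ACL blob is a placeholder, not a real ACL), so the script runs offline.

```python
"""Filter system.* extended attributes out of a tar stream's pax headers.

Added example (not mmdebstrap's or squashfs-tools-ng's code). GNU tar records
an extended attribute as a pax header "SCHILY.xattr.<name>"; this script keeps
the user/trusted/security namespaces that tar2sqfs accepts and drops the
system namespace (POSIX ACLs) that makes it abort. The sample tarball below is
constructed in memory to mirror the page's listing; the ACL blob is a
placeholder, the capability value is the one rdsquashfs printed for ping.
"""
import io
import sys
import tarfile

XATTR_PREFIX = "SCHILY.xattr."  # GNU tar's pax key prefix for xattrs
SQUASHFS_NAMESPACES = ("user", "trusted", "security")  # accepted by tar2sqfs

# 20-byte security.capability value for cap_net_raw=ep (from the rdsquashfs output above)
CAP_NET_RAW = bytes.fromhex("0100000200200000000000000000000000000000")
# Placeholder POSIX ACL blob (constructed; real ACL blobs differ)
ACL_BLOB = bytes.fromhex("0200000001000700")


def to_pax(raw: bytes) -> str:
    """Pax header values are str; surrogateescape keeps arbitrary bytes intact."""
    return raw.decode("utf-8", "surrogateescape")


def from_pax(value: str) -> bytes:
    return value.encode("utf-8", "surrogateescape")


def xattr_namespace(key: str) -> str:
    """'SCHILY.xattr.system.posix_acl_access' -> 'system'."""
    return key[len(XATTR_PREFIX):].split(".", 1)[0]


def filter_xattrs(src: bytes, keep=SQUASHFS_NAMESPACES) -> bytes:
    """Rewrite a tar stream, dropping xattrs whose namespace is not in `keep`."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src), mode="r:") as tin, \
            tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as tout:
        for member in tin:
            kept = {}
            for key, value in member.pax_headers.items():
                if key == "hdrcharset":
                    continue  # tarfile re-adds this marker itself if still needed
                if key.startswith(XATTR_PREFIX) and xattr_namespace(key) not in keep:
                    continue
                kept[key] = value
            member.pax_headers = kept
            data = tin.extractfile(member) if member.isreg() else None
            tout.addfile(member, data)
    return out.getvalue()


def list_xattrs(tar_bytes: bytes) -> dict:
    """Map member name -> {xattr name: raw value}, like `tar --xattrs -tvv` shows."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar:
            result[m.name] = {
                key[len(XATTR_PREFIX):]: from_pax(value)
                for key, value in m.pax_headers.items()
                if key.startswith(XATTR_PREFIX)
            }
    return result


def build_sample_tar() -> bytes:
    """Constructed stand-in for the mmdebstrap tarball: ping carrying a
    capability, a journal directory carrying POSIX ACLs as system.* xattrs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        ping = b"#!/bin/sh\n# stand-in for the real ping binary\n"
        ti = tarfile.TarInfo("bin/ping")
        ti.size, ti.mode = len(ping), 0o755
        ti.pax_headers = {XATTR_PREFIX + "security.capability": to_pax(CAP_NET_RAW)}
        tar.addfile(ti, io.BytesIO(ping))
        di = tarfile.TarInfo("var/log/journal")
        di.type, di.mode, di.gid = tarfile.DIRTYPE, 0o2755, 102
        di.pax_headers = {
            XATTR_PREFIX + "system.posix_acl_access": to_pax(ACL_BLOB),
            XATTR_PREFIX + "system.posix_acl_default": to_pax(ACL_BLOB),
        }
        tar.addfile(di)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: filter_xattrs.py in.tar out.tar
        with open(sys.argv[1], "rb") as f:
            filtered = filter_xattrs(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(filtered)
    else:
        before, after = build_sample_tar(), filter_xattrs(build_sample_tar())
        for label, blob in (("before", before), ("after", after)):
            for name, attrs in list_xattrs(blob).items():
                print(label, name, sorted(attrs))
```

Run with no arguments to see the constructed sample before and after filtering; with two paths it rewrites a real tarball, which can then be fed to tar2sqfs without the `xattr prefix of system.*` error while ping keeps `security.capability`. The same effect is available at archive creation time with GNU tar's own `--xattrs --xattrs-exclude='system.*'` options.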
gpg command "--list-keys" requires input files to be passed with
option "--keyring" and each file must match type "public keyring v4",
while gpg command "--show-keys" doesn't require extra options and
also handles ASCII-armored public keyrings.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2 changed files with 239 additions and 70 deletions
For a more elegant way to setup merged-/usr via symlinks and for setting up a
sub-essential busybox-based chroot, see the B<--hook-dir> option below.
=item B<--extract-hook>=I<command>
Execute arbitrary I<command>s after the Essential:yes packages have been
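Review bot: "to setup merged-/usr via symlinks" in the added sentence uses the noun where the verb is needed; "to set up merged-/usr via symlinks" reads correctly. The sentence also bundles two unrelated use cases (merged-/usr symlinks and a busybox chroot) into one pointer; a short sentence per use case, each naming the hook it refers to, would make the cross-reference to B<--hook-dir> easier to follow.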
@ -6201,10 +6303,14 @@ if the scripts in two directories depend upon each other, the scripts must be
placed into a common directory and be named such that they get added in the
correct order.
Example: Run mmdebstrap with eatmydata
Example 1: Run mmdebstrap with eatmydata
--hook-dir=/usr/share/mmdebstrap/hooks/eatmydata
Example 2: Setup chroot for installing a sub-essential busybox-based chroot
--hook-dir=/usr/share/mmdebstrap/hooks/busybox
=item B<--skip>=I<stage>[,I<stage>,...]
B<mmdebstrap> tries hard to implement sensible defaults and will try to stop
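Review bot: "Example 2: Setup chroot for installing a sub-essential busybox-based chroot" is circular (set up a chroot for installing a chroot) and uses "Setup" as a verb; suggest "Example 2: Set up a sub-essential busybox-based chroot". Keep both example lines in the same imperative form as "Example 1: Run mmdebstrap with eatmydata".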
@ -6399,16 +6505,17 @@ Without that option the default format is I<auto>. The following formats exist:
When selecting this format (the default), the actual format will be inferred
from the I<TARGET> positional argument. If I<TARGET> was not specified, then
the B<tar> format will be chosen. If I<TARGET> happens to be F</dev/null>, then
the B<null> format will be chosen. If I<TARGET> is an existing directory, and
does not equal to C<->, then the B<directory> format will be chosen. If
I<TARGET> ends with C<.tar> or with one of the filename extensions listed in
the section B<COMPRESSION>, or if I<TARGET> equals C<->, or if I<TARGET> is a
named pipe (fifo) or if I<TARGET> is a character special file like
F</dev/null>, then the B<tar> format will be chosen. If I<TARGET> ends with
C<.squashfs> or C<.sqfs>, then the B<squashfs> format will be chosen. If
<TARGET> ends with C<.ext2> then the B<ext2> format will be chosen. If none of
these conditions apply, the B<directory> format will be chosen.
the B<tar> format will be chosen. If I<TARGET> happens to be F</dev/null> or if
standard output is F</dev/null>, then the B<null> format will be chosen. If
I<TARGET> is an existing directory, and does not equal to C<->, then the
B<directory> format will be chosen. If I<TARGET> ends with C<.tar> or with one
of the filename extensions listed in the section B<COMPRESSION>, or if
I<TARGET> equals C<->, or if I<TARGET> is a named pipe (fifo) or if I<TARGET>
is a character special file, then the B<tar> format will be chosen. If
I<TARGET> ends with C<.squashfs> or C<.sqfs>, then the B<squashfs> format will
be chosen. If <TARGET> ends with C<.ext2> then the B<ext2> format will be
chosen. If none of these conditions apply, the B<directory> format will be
chosen.
=item B<directory>, B<dir>
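Review bot: both the removed and the added text write "<TARGET>" without the I<> markup in the C<.ext2> sentence ("If <TARGET> ends with C<.ext2>"); since this hunk rewrites that sentence anyway, make it "If I<TARGET> ends with C<.ext2>" so the rendered man page italicises TARGET like the rest of the paragraph. Minor: "does not equal to C<->" should be "does not equal C<->". Note that "or if standard output is F</dev/null>" is a behavioural addition to the auto-detection rules, not just a rewording, and should be called out as such.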
@ -6440,8 +6547,11 @@ C<tar2sqfs> utility, which will create an xz compressed squashfs image with a
blocksize of 1048576 bytes in I<TARGET>. The special I<TARGET> C<-> does not
work with this format because C<tar2sqfs> can only write to a regular file. If
you need your squashfs image be named C<->, then just explicitly pass the
relative path to it like F<./->. Since C<tar2sqfs> does not support extended
attributes, the resulting image will not contain them.
relative path to it like F<./->. The C<tar2sqfs> tool only supports a limited
set of extended attribute prefixes. Therefore, extended attributes are disabled
in the resulting image. If you need them, create a tarball first and remove the
extended attributes from its pax headers. Refer to the B<EXAMPLES> section for
how to achieve this.
=item B<ext2>
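Review bot: the added text says extended attributes are "disabled in the resulting image", but the commit message above shows that tar2sqfs accepts the user, trusted and security prefixes and only rejects system.*; stating which prefixes are unsupported (the system namespace, i.e. POSIX ACLs) would tell readers that security.capability on ping can survive and that only system.* needs filtering. Also, in the unchanged context "If you need your squashfs image be named C<->" is missing "to": "to be named C<->".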
@ -6462,7 +6572,8 @@ A temporary chroot directory will be created in C<$TMPDIR> or F</tmp> if
C<$TMPDIR> is not set. After the bootstrap is complete, the temporary chroot
will be deleted without being part of the output. This is most useful when the
desired artifact is generated inside the chroot and it is transferred using
special hooks such as B<sync-out>.
special hooks such as B<sync-out>. It is also useful in situations where only
the exit code or stdout or stderr of a process run in a hook is of interest.
=back
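Review bot: "only the exit code or stdout or stderr of a process run in a hook" stacks three "or"s; "only the exit code, stdout or stderr of a process run in a hook" is cleaner. Style only.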
@ -6675,7 +6786,7 @@ Performs cleanup tasks like:
=over 4
=item * Removes the package lists and apt cache. This can be disabled using B<--skip=cleanup/apt>.
=item * Removes the package lists (unless B<--skip=cleanup/apt/lists>) and apt cache (unless B<--skip=cleanup/apt/cache>). Both removals can be disabled by using B<--skip=cleanup/apt>.
=item * Remove all files that were put into the chroot for setup purposes, like F</etc/apt/apt.conf.d/00mmdebstrap>, the temporary apt config and the qemu-user-static binary. This can be disabled using B<--skip=cleanup/mmdebstrap>.
@ -6719,7 +6830,16 @@ Instead of a tarball, a squashfs image can be created:
By default, B<mmdebstrap> runs B<tar2sqfs> with C<--no-skip --exportable
--compressor xz --block-size 1048576>. To choose a different set of options,
pipe the output of B<mmdebstrap> into B<tar2sqfs> manually.
and to filter out all extended attributes not supported by B<tar2sqfs>, pipe
the output of B<mmdebstrap> into B<tar2sqfs> manually like so:
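Review bot: the kept line "To choose a different set of options," followed by the added "and to filter out all extended attributes not supported by B<tar2sqfs>, pipe" produces "To choose a different set of options, and to filter out ..., pipe", with a stray comma before "and"; rewrite the kept line as well, e.g. "To choose a different set of options or to filter out extended attributes not supported by B<tar2sqfs>, pipe the output of B<mmdebstrap> into B<tar2sqfs> manually like so:". The example introduced by "like so:" is outside this excerpt; make sure the filter it shows drops only the system namespace, as the commit message describes, so security.capability on ping is preserved rather than all extended attributes being stripped.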